# Stack-buffer-overwrite in function heif_image_get_decoding_warnings

## Description

Stack-buffer-overwrite in function heif_image_get_decoding_warnings

## Version

commit ID 33e00a4ec54e6fffca3febe3054017b1b81a0c49

```
$ ./examples/heif-convert -v
1.17.6
libheif: 1.17.6
plugin path: /usr/local/lib/libheif
```

```
$ ./examples/heif-convert --list-decoders
HEIC decoders:
- libde265 = libde265 HEVC decoder, version 1.0.4
AVIF decoders:
- aom = AOMedia Project AV1 Decoder v1.0.0
JPEG decoders:
JPEG 2000 decoders:
uncompressed: no
```

## Replay

```
git clone https://github.com/strukturag/libheif.git
cd libheif
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake .
make -j
./examples/heif-convert poc test.png
```

## ASAN

```
File contains 1 image
=================================================================
==4098626==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffce00 at pc 0x7ffff6f9a7a3 bp 0x7fffffffc630 sp 0x7fffffffc620
WRITE of size 16 at 0x7fffffffce00 thread T0
    #0 0x7ffff6f9a7a2 in heif_image_get_decoding_warnings (/libheif/libheif/libheif.so.1+0xf97a2)
    #1 0x555555564b82 in main (/libheif/examples/heif-convert+0x10b82)
    #2 0x7ffff6a17082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #3 0x55555555fadd in _start (/libheif/examples/heif-convert+0xbadd)

Address 0x7fffffffce00 is located in stack of thread T0 at offset 1712 in frame
    #0 0x5555555627df in main (/libheif/examples/heif-convert+0xe7df)

  This frame has 62 object(s):
    [32, 33) 'initializer'
    [96, 97) '<unknown>'
    [160, 161) '<unknown>'
    [224, 225) '<unknown>'
    [288, 289) '<unknown>'
    [352, 353) '<unknown>'
    [416, 417) '<unknown>'
    [480, 481) '<unknown>'
    [544, 545) '<unknown>'
    [608, 609) '<unknown>'
    [672, 673) '<unknown>'
    [736, 737) '<unknown>'
    [800, 801) '<unknown>'
    [864, 868) 'option_index'
    [928, 932) 'depth_id'
    [992, 1000) 'encoder'
    [1056, 1064) 'cr'
    [1120, 1128) 'handle'
    [1184, 1192) 'image'
    [1248, 1256) 'depth_handle'
    [1312, 1320) 'depth_image'
    [1376, 1384) '__for_begin'
    [1440, 1448) '__for_end'
    [1504, 1512) 'aux_handle'
    [1568, 1576) 'aux_image'
    [1632, 1640) 'auxTypeC'
    [1696, 1712) 'err' <== Memory access at offset 1712 overflows this variable
    [1760, 1784) 'image_IDs'
    [1824, 1848) 'auxIDs'
    [1888, 1912) 'ids'
    [1952, 1976) 'xmp'
    [2016, 2040) 'exif'
    [2080, 2112) '<unknown>'
    [2144, 2176) 'input_filename'
    [2208, 2240) 'output_filename_stem'
    [2272, 2304) 'output_filename_suffix'
    [2336, 2368) 'input_stem'
    [2400, 2432) '<unknown>'
    [2464, 2496) '<unknown>'
    [2528, 2560) '<unknown>'
    [2592, 2624) 'suffix_lowercase'
    [2656, 2688) 'filename'
    [2720, 2752) 'numbered_output_filename_stem'
    [2784, 2816) '<unknown>'
    [2848, 2880) '<unknown>'
    [2912, 2944) '<unknown>'
    [2976, 3008) '<unknown>'
    [3040, 3072) 'auxType'
    [3104, 3136) '<unknown>'
    [3168, 3200) '<unknown>'
    [3232, 3264) 'auxFilename'
    [3296, 3328) 'itemtype'
    [3360, 3392) 'contenttype'
    [3424, 3456) 'xmp_filename'
    [3488, 3520) 'exif_filename'
    [3552, 3928) 's'
    [3968, 4344) 's'
    [4384, 4760) 's'
    [4800, 5312) 'ostr'
    [5344, 5856) 'ostr'
    [5888, 6408) 'istr'
    [6464, 6476) 'magic'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/libheif/libheif/libheif.so.1+0xf97a2) in heif_image_get_decoding_warnings
Shadow bytes around the buggy address:
  0x10007fff7970: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff7980: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff7990: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff79a0: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2
  0x10007fff79b0: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 00
=>0x10007fff79c0:[f2]f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff79d0: 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff79e0: 00 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff79f0: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
  0x10007fff7a00: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
  0x10007fff7a10: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4098626==ABORTING
```

## PoC

https://github.com/fdu-sec/poc/blob/main/libheif/stack-buffer-overflow.heif

## Environment

```
Description:	Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
```
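The report shows a 16-byte write landing exactly at the end of `err`, a 16-byte slot in the caller's frame at [1696, 1712), i.e. one entry past a single-entry output buffer. As an added illustration (not libheif's code and not a confirmed root cause for this issue), the following C models one bug class that produces exactly that footprint, a paged accessor that indexes its output buffer by the absolute warning index instead of the offset from the first requested index, beside the corrected form, with a canary harness that counts clobbered neighbouring slots the way ASan's frame map does. The struct layout, the warning table and the parameter names `first`/`max_entries` are assumptions modelled on the shape of `heif_image_get_decoding_warnings`.

```c
#include <string.h>

/* Constructed 16-byte stand-in for libheif's struct heif_error (two 32-bit
 * codes plus a message pointer); the layout itself is an assumption. */
struct err_rec { int code; int subcode; const char* message; };

/* Constructed decoder-warning table standing in for an image's warnings. */
static const struct err_rec WARNINGS[] = {
    {1, 100, "constructed warning 0"},
    {1, 101, "constructed warning 1"},
    {1, 102, "constructed warning 2"},
};
#define NWARN ((int)(sizeof WARNINGS / sizeof WARNINGS[0]))

/* Hypothetical buggy paged accessor: 'out' has max_entries slots, but the copy
 * indexes it by the absolute warning index n rather than n - first, so every
 * page after the first lands past the end of the caller's buffer. */
static int get_warnings_buggy(int first, struct err_rec* out, int max_entries) {
    int n;
    for (n = first; n < first + max_entries && n < NWARN; n++)
        out[n] = WARNINGS[n];               /* bug: should be out[n - first] */
    return n - first;                       /* entries written for this page */
}

/* Corrected form: the output index is relative to the start of the page. */
static int get_warnings_fixed(int first, struct err_rec* out, int max_entries) {
    int n;
    for (n = first; n < first + max_entries && n < NWARN; n++)
        out[n - first] = WARNINGS[n];
    return n - first;
}

/* Canary harness: hand the accessor a 1-slot window inside a larger array,
 * as the report's 'err' sits in front of other locals, and count how many
 * neighbouring slots it clobbered (0 means the write stayed in bounds). */
static int clobbered_neighbours(int (*fn)(int, struct err_rec*, int), int first) {
    struct err_rec slots[4], canary;
    int i, hits = 0;
    memset(slots, 0xCC, sizeof slots);      /* canary pattern in every slot */
    memset(&canary, 0xCC, sizeof canary);
    fn(first, &slots[0], 1);                /* caller believes it owns 1 slot */
    for (i = 1; i < 4; i++)
        if (memcmp(&slots[i], &canary, sizeof canary) != 0)
            hits++;
    return hits;
}
```

Requesting page 0 stays in bounds for both variants; requesting page 1 with a one-entry buffer clobbers the neighbouring slot only in the buggy variant, which is the footprint the ASan frame map above shows.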